05/04/18: GhostMiner C2 Protocol

Threat Summary

Overview

GhostMiner uses a novel method of evasion: two nested PowerShell evasion frameworks (Out-CompressedDll and Invoke-ReflectivePEInjection), which employ fileless techniques to conceal the presence of the malicious program. GhostMiner consists of two separate PowerShell scripts. The first, Neutrino.ps1, propagates the malware by exploiting specific applications such as Oracle WebLogic and phpMyAdmin. The second, WMI.ps1 (WMI64.ps1 on x64 machines), installs the XMRig cryptominer and mines the Monero cryptocurrency. WMI.ps1 will also attempt to remove any other miners on the system that it can identify.

Exploitation

Stages

An attacker exploits a vulnerable server, compromising the victim's server with a compiled executable.

When the executable runs, it invokes two separate PowerShell frameworks to unpack the executable's payload. One component is Neutrino.ps1, which is responsible for propagating the malware. The second PowerShell script is WMI.ps1 (WMI64.ps1 on x64 machines), which downloads and executes the XMRig Monero miner.

When executed, the Neutrino.ps1 script initially communicates with the C2 server using base64-encoded messages.

The initial message is sent from the infected server to the C2 server to initiate communications.

The response message from the C2 server confirms receipt of the initial handshake message.

The infected server then attempts to execute the task indicated by the C2 server. This could involve cycling through random IPs to search for and exploit the applications listed in the Overview (Oracle WebLogic and phpMyAdmin).

After the task has been executed, the infected server reports the result to the C2 server.

The second PowerShell script, WMI.ps1 (WMI64.ps1 on x64 machines), mines cryptocurrency by downloading and installing the XMRig cryptocurrency miner. The miner connects to a Monero pool and begins mining. In addition, it attempts to remove any other miners present on the server.
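The stages above hinge on two things a defender can look for in PowerShell script-block logging: the named frameworks (Out-CompressedDll, Invoke-ReflectivePEInjection) and base64-wrapped layers that hide the next stage. The scanner below is an added illustration, not part of the advisory or of Alert Logic's signatures; the indicator list, the 4104-style log lines and the embedded encoded command are constructed for the example.

```python
import base64
import binascii
import re

# Names the advisory ties to GhostMiner: the two nested PowerShell frameworks
# and its script files (constructed indicator list for this example).
INDICATORS = ("Out-CompressedDll", "Invoke-ReflectivePEInjection",
              "Neutrino.ps1", "WMI.ps1", "WMI64.ps1")
# Long base64 runs are where a fileless loader hides its next layer.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_layers(blob):
    """Yield decodings of one base64 blob: UTF-16LE (used by -EncodedCommand), then UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return
    for enc in ("utf-16-le", "utf-8"):
        try:
            yield raw.decode(enc)
        except UnicodeDecodeError:
            pass

def find_indicators(text, depth=3):
    """Indicators present in text, unpacking nested base64 up to `depth` times."""
    lowered = text.lower()
    found = {name for name in INDICATORS if name.lower() in lowered}
    if depth > 0:
        for blob in B64_RE.findall(text):
            for inner in decode_layers(blob):
                found |= find_indicators(inner, depth - 1)
    return found

def scan_script_block_log(lines):
    """(line_number, sorted indicators) for every script-block log line that hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        names = find_indicators(line)
        if names:
            hits.append((number, sorted(names)))
    return hits

# Constructed sample log: a benign script block, then one carrying a
# base64-wrapped reflective-injection call as an -EncodedCommand would.
_INNER = "IEX (Invoke-ReflectivePEInjection -PEBytes $bytes); . .\\WMI64.ps1"
SAMPLE_LOG = [
    "4104 ScriptBlockText: Get-Process | Where-Object CPU -gt 50",
    "4104 ScriptBlockText: powershell -EncodedCommand "
    + base64.b64encode(_INNER.encode("utf-16-le")).decode("ascii"),
]
```

Running `scan_script_block_log(SAMPLE_LOG)` flags only the second line, naming both the injection framework and the WMI64.ps1 script hidden inside the encoded command.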

Prerequisites

The attacker must be able to send crafted packets to the target system.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature is detected, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

The attacker must have exploited a prior file upload vulnerability or remote code execution flaw to use this vector. Ensure that your systems are fully patched to mitigate the risk of this occurring.